Cisco Firewall :: ASA 5520 - With 99 Percent CPU Usage / Lot Of Shunning?
Oct 18, 2011
I'm running ASA 8.0(3) on an Active/Standby failover pair. Last night I realized the CPU usage of my production ASA was 99%. On the ASDM Firewall Dashboard I can see counters like this:
Dropped Packet Rate (ACL Dropped) = 6000+ (more than 6 thousand)
Scanning Attacks = 18600+ (more than Eighteen thousand)
I went on the ASDM and checked the RealTime Log viewer and I have about 30 entries per second of these:
4  Oct 19 2011  11:35:12  401004  Shunned packet: 10.64.10.1 ==> 10.64.0.1 on interface NewLAN
[code]...
View 1 Replies
Jul 27, 2011
I have an ASA 5520 with a CSC-SSM module. The problem is that when I log in to my ASDM, the content security monitoring shows the CPU and memory at 100% (CSC), but when I connect directly to the CSC-SSM module it comes down. So is it a problem with ASDM, Java or CSC?
View 5 Replies
Mar 20, 2013
We are running a Cisco 6509-E and are running a load test, and when traffic reaches 80 Mbps the switch starts responding very slowly. I checked CPU usage and it was at 100%, and connections to the switch from outside to inside are 80K. Once the connections drop, the Cisco releases CPU and it starts responding normally. [code]
View 4 Replies
Aug 13, 2011
I installed a CSC-SSM-20 module on an ASA 5510. After policy services have been enabled, the services work well for a few minutes; after that the module's CPU usage rises to 100% and all HTTP traffic is wholly blocked until the CPU usage goes down. This happens very frequently, and traffic stays blocked for such a long time that it makes the CSC-SSM module unusable. It's disabled right now. The ASA version is 8.2(1) and the CSC module version is 6.6.1172.0.
View 1 Replies
Apr 7, 2013
Whenever I set up URL filtering on an 1841 router with policy-map type http and the zone-pair command, I experience a 100% CPU spike. Is there any workaround?
View 1 Replies
May 8, 2012
Our company’s Cisco ASA 5520 CPU usage drastically increased up to 93% after installing the antivirus our company purchased. Upon entering the show commands, the results of which I will post later, it shows that the “Dispatch Unit” is very high. I tried to clear the conn of each IP address that has very high bytes, but nothing happened.
INTFW(config)# show proc cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
081aa324 6bdaf870 81.3% 81.5% 81.4% Dispatch Unit
[Code]....
View 28 Replies
Mar 10, 2013
Can I use this memory in my 5520 firewall? ASA5510-MEM-1GB=.
View 1 Replies
Dec 20, 2012
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic. The threat scanning thresholds seem a bit too high, and I was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. How do I employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
View 2 Replies
Feb 13, 2013
I'm having a problem with the memory and also trying to create some rules on the CISCO ASA. The version that I had installed was 8.2.5.33 on a CISCO 5520 with 512 RAM; the memory usage is at 99% used, 1% free, and because of that when I'm trying to create a new rule the firewall gives me the next error. So what I did was a downgrade to version 8.2 (4) 4 and the memory went down a little (82% used, 18% free), but I still get the error when I'm creating an access rule on the device. One thing, and I'm not sure if this could affect the performance, is the number of access lists and object groups that are created.
I already opened a case with CISCO TAC and they are checking if the problem is with the memory capacity or maybe a memory leak. Also, the doubt I have is: with the memory that I now have available, should I be able to create access rules, or is 82 still too high to create a rule or an object group?
View 2 Replies
Jun 25, 2012
I'm trying to install a Gateway in Red Hat Linux for the Cisco Smart Call Home Service, and reading about this on Google, I found this info: Smart Call Home on the ASA. This is much simpler to configure and operate. I want to know which solution is more recommended and why.
View 1 Replies
Apr 3, 2013
However, recently when I checked my internet usage log at my wireless company (Rogers), the usage was totally off from what my bandwidth tracker shows me. So I decided to turn off my wifi and see what happens. There has always been this weird wifi connection appearing whenever my wifi appears; afterwards, when I turn off my wifi, the suspicious wifi connections disappear. Is it possible that someone is using our wifi? I might just be overreacting, but it has brought me to concern that if the usage continues my family will end up having to pay over $30 for extra internet use. It is very frustrating to me because when I check my DHCP client table it only shows 3 connections: ethernet - my desktop, which is not turned on, and 2 wireless connections - my laptop and my sister's laptop.
View 6 Replies
Feb 16, 2013
I decided to migrate to ASA 8.4(5) from 7 and everything went very well with the exception of this one issue. All ACL and NAT for our various remote desktop servers work perfectly as long as the servers are running an RDP server version greater than 5.2. For instance, Server 2008 machines (or Win 7 Pro desktops) work perfectly as configured; however, Server 2003 machines (or WinXP Pro desktops) will not. I'm using manual, static NAT for the object to avoid automatic NAT issues.
The client computer displays the non-Vista warning message, "The identity of the remote computer cannot be verified...", but then fails to properly connect, stopping at the "Configuring remote session..." status message. The ASA log shows that it built the TCP, then it displays a teardown with reason TCP Reset-I.
I can use a working ACL and NAT (using default TCP 3389 for instance) with a Server 2008 at IP 192.168.15.10 and move a Server 2003 machine to that same IP without touching any configuration at the firewall and it fails. Move the Server 2008 machine back to that IP and it works perfectly (both set at Port 3389 of course).
Here is the relevant info from the config that I am using for this:
------------------------------------------
object network RDPServer
 host 192.168.15.10
object service RDP
 service tcp source eq 3389
access-list out2in line 1 extended permit tcp any object 192.168.15.10 eq 3389
nat (inside,outside) 1 source static RDPServer interface service RDP RDP
------------------------------------------
The above works perfectly as long as a Server 2008 machine is at the IP, but fails with a Server 2003 machine at the IP.
View 3 Replies
Jul 3, 2012
I am currently working with an ASA 5585 with several contexts. What is the percentage of the CPU used per context? I already have the opportunity to do it for the whole ASA (context admin) using the SNMP MIB CISCO-PROCES but, unfortunately, this MIB doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of core used per context but not the percentage of the CPU used.
View 6 Replies
Oct 24, 2012
One of our firewalls - Cisco ASA 5550 8.4.3 - has got a problem. Our monitoring system requests the CPU usage on the box and from time to time we get an error. It was now possible to catch the error message - the output of show cpu usage looks like the attached picture. We did not find anything in the known bugs nor in the "Resolved Caveats in ASA Version 8.4(4.1)".
View 1 Replies
Jan 28, 2013
I have configured an ASA 5510 and a 2960S 48-port switch in a lab environment. I have two laptops connected to separate subinterfaces, with Server 2003 as the DHCP server for one network. Everything has been working fine as we have been testing the ASA while also testing the CSC SSM module. When we came in today we noticed the CSC module CPU is running at 100% constantly and HTTP traffic is extremely slow. I have not yet received my SMARTnet contracts from the vendor or I would open a TAC case, and I have read on the net that this is a common problem.
View 1 Replies
Jan 20, 2013
I recently rebooted my ASA 5520. I was trying to remove webvpn listening from my outside NIC, even though it wasn't configured. [code] I was planning to do another reload without the fast reload option.
View 1 Replies
Feb 26, 2012
I have an ASA that just started to reboot throughout the day yesterday. It seems to happen every few hours but not in a pattern. Right before it reboots there is a flood of syslog ID 305006 messages, "portmap translation creation failed for tcp src inside:xxx dst outside:xxx"; the xlats go from around 2-3k to about 30+k, then it crashes. Memory usage is already pretty high normally on this device (about 75% used) and CPU is around 15-20%. I notice that the portmap translation errors are always from 3 inside hosts.
View 4 Replies
Feb 3, 2011
Today I upgraded my Cisco ASA 5505 ASDM from version 6.34 to 6.41 because of some problems on the old version with NetFlow. But now when I switch to the dashboard I cannot see the "Top Usage" tab. That was quite useful for me. It simply disappeared.
Can I somehow configure which tabs are displayed on the dashboard? I really need that one and I do not want to downgrade :/
View 7 Replies
Feb 15, 2012
I've multiple FWSMs running. The funny thing: When I do a "show resource usage" I have one blade showing a "Conns [rate]" and "Syslogs [rate]" values and one blade isn't.
SSH 4 5 15 0 admin
Syslogs [rate] 1 437 unlimited 0 admin
Conns 149 23465 unlimited 0 admin
Xlates 154 2877 unlimited 0 admin
Hosts 154 2877 unlimited 0 admin
Mac-addresses 6 7 65535 0 admin
All modules are running the same software version 3.2(10). And the even more funny thing is: on one blade I have different output for all the contexts on it. What's the reason for that behaviour? A bug?
View 2 Replies
May 24, 2012
I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510. The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.
View 2 Replies
Nov 2, 2012
We were using an ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now Cisco wants to replace it with an ASA-5520-K8.
View 1 Replies
Nov 19, 2012
I have a Cisco 4507 switch. The CPU on the switch is running between 50% and 60% constantly. To troubleshoot I collected some logs using debug and show commands.
debug platform packet all receive buffer
show platform cpu packet buffered
debug platform packet all count
show platform cpu packet statistics
show processes cpu sorted | exc 0.00
show platform health
show platform cpu packet statistics
The show platform health output shows the below processes crossing the target value.
                      %CPU    %CPU    RunTimeMax      Priority   Average %CPU      Total
                      Target  Actual  Target  Actual  Fg   Bg    5Sec  Min  Hour   CPU
Stub-JobEventSchedul  10.00   13.41   10      47      100  500   13    13   10     5462:52
K2PortMan Review       3.00    5.35   15      11      100  500   4     4    3      1799:47
What I need to know is, though these processes are running at Low Priority, will there be any issue if the CPU goes high due to these processes?
View 1 Replies
Nov 6, 2012
I have just finished installing LMS 4.2 on a new VM (Windows 2008 R2 Standard Edition SP1). I have already reloaded the server, and all LMS services have started correctly. However, the process CS_sm_server.exe is still using 100% CPU. Windows 2008 R2 Standard Edition SP1
View 6 Replies
Apr 2, 2013
We have two offices connected using Site-to-Site VPN (IPSEC) as shown (IPs fictitious): Office 1 - We had to use 2 routers since we have a range of valid IPs. From a host in office 2 we normally ping 192.168.102.1 (gateway at office 1), but when pinging a host inside office 1 (e.g. 192.168.102.8), 50% of packets are lost. Could it be a hardware problem?
View 1 Replies
Jan 3, 2010
I am working at a client site that is an MPLS customer. The customer has an MPLS circuit that runs between their Main HQ and their Disaster Recovery site. I have been asked to analyze and report as well on the way the QoS Policy is written, and to provide any recommendations on how they can improve performance. There is a statement within the QoS Policy as it exists at each end on the 3825 routers. The statement is called "shape average percent". Here is the policy from one side:
policy-map QoS
class COS2_traffic
set dscp af31
shape average percent 12
bandwidth percent 13
[code]....
What does this statement mean and how is it different from the "bandwidth percent" statement?
View 2 Replies
Jan 15, 2012
I have two switches that always have their CPU at 39 or 40%. The switches are:
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC3b, RELEASE SOFTWARE (fc1)
I think it's very strange that the CPU is always at 39 or 40%. Not all ports of the switches are busy; there are 6 ports free on each switch. I think 40% is a high value for CPU, maybe because of my IOS version 12.0?
View 2 Replies
May 29, 2012
After an IOS upgrade to 15.x on a Cisco2811, MEM util rose from 20% to 43%. Is it critical? Which level of MEM utilization is critical?
View 6 Replies
Mar 14, 2013
Whenever I try to download an exe file from the internet, it just gets stuck at 99%. It doesn't happen with .rar or any other file. Not to mention, I was able to download the .NET Framework 4.0 exe installer though. I tried these things: Used different browsers. Used different download managers. Disabled firewall and AV.
View 1 Replies
Sep 12, 2011
I have ATT DSL and pretty much every night, I lose a large portion of the Internet. I cannot ping these sites, while the rest of the net works fine. The other night, I could not ping major domains like ATT, CNN, MSNBC, BBC (a chronic missing domain). On the other hand, I could get Yahoo fine and go to a streaming audio site and run music perfectly...but about 90% of the Internet was unreachable. Could not load their sites nor ping them in command line. The other 10% worked flawlessly.
View 12 Replies
Apr 16, 2012
We have a client that has a large number of AIR-AP1252AG-N-K9 installed in the network with power injectors. We have seen about a 48% failure rate of APs failing with all 3 red lights on the unit. Once I get the AP in the lab I'm unable to get any response from the console, therefore unable to troubleshoot.
View 3 Replies
Sep 23, 2009
Trying to update my firmware from 1.00.01 B15 to 1.00.01 B17. I downloaded the firmware to my desktop (using Mac OS X 10.5.5) and connected my computer directly to port 1 on the back of the router. I used the Firmware upgrade tool under the Administration tab to upload the new firmware file. The update progress starts but fails at 98%.
View 4 Replies
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.
View 5 Replies
May 5, 2013
I have an ASA 5520. How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?
View 1 Replies